I don't think the agents made up "claims" or "crimes" that Ulbricht was supposed to have committed. But rather they committed crimes themselves, by stealing some BTC. I don't think anything that they did demonstrates that Ulbricht did not do what he was convicted of doing.

They did much more than steal some bitcoins according to the indictment. The investigators, in an effort to conceal their criminality and in bad faith, did systematically conceal and destroy material evidence collected during their investigation. The investigators had administrator access to the Silk Road systems, which they used to rob the Silk Road service and then framed the original owner of their admin account for the theft (and then, with another account, offered to conduct a "hit" against that admin to extract more money from DPR) in one of many (successful) extortion attempts they carried out over months-- spanning back long before the government had any idea who DPR might be (e.g. in April 2013 they believed it was "A.A."). Their unlawful actions were not limited to SR, e.g. Force ripped off a random user of the CoinMKT exchange to the tune of a quarter million dollars where he was moonlighting (against policy and in a conflict of interest) as their compliance officer. When Force's improper use of an administrative subpoena (to attempt to unblock his rightfully suspicion-flagged account) was reported to his superior by Venmo (a payment processor subsidiary of PayPal) he responded by attempting to seize Venmo's accounts.

Let's put aside for a moment Force's and Bridges' roles as law enforcement and read their indictment as though they were just private individuals. Considering their access, strongly established involvement (e.g. the money trail connecting _them_ to SR appears to be much stronger than the money trail connecting Ross to SR), established pattern of fraudulent and vindictive activities including framing C.G. for the theft of bitcoin; they'd make a nice direction to throw doubt at the prosecution's claims and support Ross' "it was someone else" argument.

Consider the counterfactual with the character portrait painted in their indictment in mind: If Force and/or Bridges had had the opportunity to take over the operation of SR (from which they could rip people off on a greater scale), would they have done so? I think the picture painted by the indictment says yes. If they had and Ross pissed them off, would they have framed him? I think the indictment says yes (or even without pissing them off: They seized MTGox's US accounts immediately after successfully getting their own funds out (to the detriment of everyone now suffering from MTGox's insolvency)). I think this is a much more powerful line of argument than "maybe magicaltux did it", at least. They destroyed evidence related to their own interactions with magicaltux (and appeared to have made a successful unlawful forfeiture against MTGox as part of their criminal activities). In the story told in the indictment, these parties had the motive, the means, and opportunity that would have permitted them to frame Ross in order to conceal their own criminality (or to protect someone else who was paying them more); and the defense was apparently prohibited from presenting this in the trial.

No doubt the prosecution tried their hardest to separate out any potentially poisoned evidence, but these parties were the state's only inside eyes inside Silk Road. It seems unlikely to me that any of the later evidence was derived in isolation from their input, but regardless: it appears that they'd heavily spoiled the crime scene before any of the other investigators arrived.

What this actually means in terms of the actual law and procedures in the court I don't know, but I can't imagine that it would have had no effect on the jury unless they were prohibited from hearing it, nor can I really imagine them being prohibited from hearing it if it had been anything other than law enforcement agents (e.g. if it had just been other random criminals). But they were. I can't imagine why the defense didn't delay the trial so that more of this information could be presented.

This information has certainly made a number of strange things I observed make more sense.

Edit: Ah, I see Ross' attorney has made a statement: http://freeross.org/ulbrichts-attorneys-statement-regarding-silk-road-corruption/ Seems that I called at least part of their approach, plus apparently the state used the existence of this other prosecution to suppress other evidence from being presented. Hopefully Dratel will now move to have whatever relevant filings or orders were made regarding this unsealed, so we can get a more objective view of how much this prejudiced the case.

Cryptography has never been a significant part of cryptocurrency - even though it may share the first few letters. It works on a system of digital signatures.

It would seem that you actually do not understand what cryptography is in the modern sense.

A fundamental nature of information is that it wants to be freely copied everywhere to everyone. That any bit is equal and indistinguishable from any other bit of the same value and that any bit is eventually known to all who care. Cryptography is all that technology by which we hope to confine and constrain the nature of information, to put up fences and direct it to our exclusive purposes, against all attacks and in defiance of the seemingly (and perhaps actually) impossible. Digital signatures are cryptography by any modern definition and utilize the same tools and techniques (for example, a DSA signature is a linear equation encrypted with an additively homomorphic encryption), and suffer from most of the same challenges as the message encryption systems to which you seem to be incorrectly defining cryptography as equivalent. Moreover, the use of digital signatures isn't the only (or even most relevant) aspect of cryptography in cryptocurrencies-- e.g. the prevention of double spending of otherwise perfectly copyable and indistinguishable information in a decentralized system is a cryptographic problem which we address using cryptographic tools, and-- like all other practical cryptography-- achieve far less than perfect confidence in our solution. As are more modest ends like interacting with strangers but not being subject to resource exhaustion from them.

Far more so than other sub-fields of engineering, cryptographic systems are doing something which is fundamentally at odds with nature and share an incredible fragility and subtlety as a result (and perhaps all are failures, we have no proof otherwise).

A failure to understand and respect these considerations has resulted in a lot of harmful garbage and dysfunctional software.

Actually, it seems the vulnerability has already been identified in 2013:

That isn't what Cryddit is describing, at least not precisely, and of course that was fixed years ago. (The 97% thing is just because there are long forgotten nodes left running on old software that no one maintains; they likely don't have wallets.)

I don't believe Cryddit is correct; but his description isn't precise enough for me to tell for sure. I /think/ what he's saying is that I first tell all nodes a dust output that nodes won't mempool and likely won't get mined, then later I give nodes a transaction spending that transaction with an invalid signature. To most nodes this second transaction will be an orphan (spends an input they don't know about). But Cryddit believes the recipient of the transaction will DOS ban you. I think this is incorrect: first, if the transaction was mempool rejected then it wouldn't end up in their wallet unless it gets mined (in which case it would be available in the utxo set to all nodes), secondly even if it was in their wallet the wallet is not consulted for lookups on incoming transactions. But perhaps Cryddit would be kind enough to clarify his thinking?

There are ways we know those dust txns could be used to reduce users' privacy though... send them to nodes that don't implement a dust check and then observe them rebroadcasting them when they don't get mined for a long time. This is part of why the anti-dust rules were implemented.

Are you having a bad day? Your message seems needlessly antagonistic. (Edit: Ah you edited your post. ... OKAY, yea, tone can be hard to convey.)

That particular flaw is only somewhat related to deniability, although it's not unrelated. Please refer to the prior conversation, I remarked that the specification was largely designed as a brainwallet scheme as one of the general negatives against it. You claimed this was inaccurate, assuming a particular model of use which is intentionally not mandatory, I clarified.

Say there exist two Bitcoin Core wallets encrypted with the same passphrase. Can anyone use their keys to prove that they are linked? _No_. Any existing wallet you have the private keys for can be encrypted with any passphrase. There is no linkage created by using a particular storage scheme. Even to whatever extent that someone was convinced you were the owner of both because they personally found you in possession of two wallet files and the key, that proof isn't transferable-- they could have fabricated that evidence themselves.

Now say there exist two BIP39 wallets sharing a mnemonic or sharing a password. Can anyone use their keys and the mnemonic data to prove that they are linked? Yes. Because BIP39 generates a key using a one way function instead of encrypting a uniform value with it (a requirement for working with short user generated strings), all usage of the same data will be linked. It may be surprising to people that using this facility (which, at best, only protects against fringe threats of the sort that one probably ought not worry about) can leave them more exposed to other fringe threats. It could be called 'deniable' relative to a single wallet for everything, but it's very much less deniable than two totally separate wallets, or two wallets encrypted with the same passphrase. Likewise, it's not possible to rotate your passphrase if you're concerned that it might have leaked... not without expiring all the keys (for which no facility really exists in the Bitcoin space if you've given any of those keys out).

The actual scheme here prevents the non-linkable usage even when used perfectly, because it's not possible to take a random unrelated private key and convert it into a mnemonic in this scheme; so the bad use by people actually does have an effect on everyone else. (Except by not using the 'deniability' feature at all and just keeping two totally separate wallets)

Stated another way; absent the brainwallet anti-feature it's possible to have a scheme where a mnemonic exists and is easily computable for any combination of password and private key, and in such a scheme the existence of a mnemonic, password, and pair of keys does not automatically undeniably prove their linkage. You can't have that in a scheme which is designed to not need any persistent storage, however. Probably not a big deal, but enough that I think it's a bit sad and ironic to see people use something to gain the 'feature' of deniability when they would be better off not using it; the feature should probably be called "multiple wallets with less written down", which may well be interesting to people-- but probably an entirely non-overlapping set of people.

The comparison to brainwallet is inaccurate. Would you call bitcoin core's encrypted wallet a brainwallet? Of course not unless you stretch the definition to the point of being silly.

You misunderstand. The lack of checksum enforcement on the mnemonic means that many people directly use the 'mnemonic' as a "brainwallet". The suggested uniform mnemonic encoding approach is completely non-normative. (This was an intentional design feature, and at one point a draft of the BIP basically advocated the usage; this was a quite controversial proposal, if you may note some of its former authors even had their names removed from it due to disputes about the construction; the state of the BIP was as far as the community was able to push the remaining authors away from that kind of dangerous construction; but its still possible to use it that way and many people do).

However, gmaxwell suggests that it is unreasonable to assume such ineffectiveness on the part of the ninjas and, once the secret master key is revealed, absurd for the suspect (after already admitting to owning the dummy wallet) to claim that the secret wallet is not his.

I see nothing in the details which makes it weaker than a hypothetical KDF...

Nor do I. The PBKDF2 looks technically sound to me (assuming the choice of a sound hash function) but then again I'm not a cryptographer. I really don't know what gmaxwell was driving at with the "woefully weak KDF" comment.

The intensity of the PBKDF2 at 2048 iterations is almost completely ineffectual, it's likely not worth the code/implementation complexity.

For comparison, on my laptop bitcoin core chooses about 200,000 iterations for its wallet encryption (it dynamically picks a number that takes 100ms to decode)-- and it only uses one core (if we redo wallet encryption in a new format we'll be sure to fix that).

Part of it is because the application space of BIP39 is unclear. If the keys are chosen securely then there is no gain from having a KDF (and no real harm in having a weak one, except for code complexity). If people use it like a brainwallet then given what we know about how users choose "random secrets" then the KDF is seriously inadequate; considering the infrequency of use and the huge attacker advantages (precomputation because brainwallet schemes cannot be effectively salted, and hardware advantages) you'd likely want something that takes several seconds on the best hardware the user has access to.

I see at least one error in your addition implementation (I can point it out if you really want, but I think if your goal is to learn, you will learn more if I don't; if your goal is to get something working I suggest rethinking your goal). What are you trying to accomplish? If you want to make an implementation to actually use, your approach (kludging together a result from semi-tech popular press books, rather than stepping back and understanding first principles) will be horrifyingly slow and likely end up broken or insecure.

If you're just trying to learn, you should probably step back and work on each component one at a time so you know exactly where your error is, and so you can gain some understanding. E.g. write tests for your field multiplies, field adds, write a test for your modular inverse (try lots of numbers, invert and multiply by itself to check the identity). You don't necessarily have to have the answers to check against... check the algebraic identities. e.g., for points:

A = G + G
B = A + G
C = B + G
D = C + G
B == D + -A
D == B + A
A == C + -A
A + C == B + B
Infinity = C + -C
A + D + -A == -D + D + D

... and so on.
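The identity-based self-checks described above, as an added example that is not part of the original post or any project's code: a minimal affine secp256k1 implementation (the domain parameters P, N and G are the real ones; everything else, including the extended-Euclid inverse, is written from scratch here) tested only against algebraic identities rather than known answers. The random-scalar checks at the end go a little beyond the post's list and test the same properties with scalar multiplication.

```python
# Added example: tiny affine secp256k1 arithmetic plus identity-based self-tests.
# Not from the thread; the only borrowed values are the public curve parameters.
import random
from typing import Optional, Tuple

P = 2**256 - 2**32 - 977                      # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]             # None is the point at infinity


def inv(a: int, m: int = P) -> int:
    """Modular inverse by extended Euclid (hand-written so it can be tested)."""
    a %= m
    if a == 0:
        raise ZeroDivisionError("no inverse for 0")
    r0, r1, s0, s1 = m, a, 0, 1               # invariant: r_i == s_i * a (mod m)
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    assert r0 == 1, "not invertible"
    return s0 % m


def on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0     # y^2 = x^3 + 7


def neg(pt: Point) -> Point:
    return None if pt is None else (pt[0], (-pt[1]) % P)


def add(p1: Point, p2: Point) -> Point:
    """Affine point addition handling infinity, doubling and P + (-P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                        # P + (-P) = infinity
        lam = 3 * x1 * x1 * inv(2 * y1) % P    # tangent slope (a = 0 for secp256k1)
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k: int, pt: Point) -> Point:
    """Plain double-and-add (not constant time; this is a test harness, not a wallet)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def identities_hold(trials: int = 2, seed: int = 1) -> bool:
    """The checks from the post, plus scalar-multiplication consistency on random scalars."""
    A = add(G, G)
    B = add(A, G)
    C = add(B, G)
    D = add(C, G)
    checks = [
        B == add(D, neg(A)),
        D == add(B, A),
        A == add(C, neg(A)),
        add(A, C) == add(B, B),
        add(C, neg(C)) is None,
        add(add(A, D), neg(A)) == add(add(neg(D), D), D),
        all(on_curve(p) for p in (A, B, C, D)),
        mul(N, G) is None,                     # the group order annihilates G
    ]
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.randrange(1, N), rng.randrange(1, N)
        checks.append(add(mul(a, G), mul(b, G)) == mul((a + b) % N, G))
        checks.append(mul(a, mul(b, G)) == mul(a * b % N, G))
        z = rng.randrange(1, P)
        checks.append(z * inv(z) % P == 1)     # the inverse test the post suggests
    return all(checks)


if __name__ == "__main__":
    print("all identities hold:", identities_hold())
```

None of these checks needs a reference implementation; a wrong slope formula, a broken inverse, or a mishandled infinity case shows up as one of the identities failing, which tells you which component to look at.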

You've got a "deniable" mnemonic written down, with a few bitcents in it.

The 'real' wallet is a word or two changed from what you've written down.

Ninjas bust in your doors and demand your keys. They find the mnemonic and aren't impressed by your cover-- they found your house due to your purchases at their dry cleaning cover operation and their records show you have hundreds of coins and transactions not reflected in the wallet they've found.

They torture you-- as ninjas are known to do-- but somehow you resist the lead pipe cryptanalysis. Unfortunately for you, they also own a laptop computer with a fast gpu and in a fraction of a second they've found your other wallet just by searching a few billion nearby keys; alternatively they turn on your computer and find the missing word(s) in your swap file (most (if not all) BIP39 implementations have no ability to mlock their memory), or they find it loaded into some 'hardware wallet' and defeat the pitiful physical security with a flick of a jtag enabled throwing star.

Now they have your secret stash, you think: oh well, you're not worse off than if you hadn't used the deniability... But actually:

They tell you the penalty for the anti-ninja sources of funds they find in that wallet is death-- you plead "No, that wallet must be my _evil inlaws_, not mine!" but your claim isn't just implausible, it's absurd. The partial mnemonic is in your handwriting; weakly you protest "I'll tell the ninja overlord that you made me write it!" but there is no chance another randomly selected key maps to a mnemonic that anyone could possibly ever find, so the overlord will know both of those addresses started with the (same) mnemonic and couldn't have been produced the other way around. The first 'cover' one was well linked to your identity-- in your effort to make the cover more plausible you made the (undeniably) linked sibling more undeniably linked to you.

If instead the attempt at deniability were implemented as a difference between two keys and coded bijectively, using keyed permutations instead of hashing, such that for any pair of keys there was some set of words that encoded the difference between them; the story would still be sad (because the ninjas will likely run out of patience before you finish your cryptographic explanation) but perhaps less so-- they really could have picked any two random addresses, computed the linking words between them, and coerced you to write them down; perhaps your plea to the overlord would be heard.

Realistically, the deniability is operational security theater in any case. Virtually no users manage, nor does the software they use really support, operating with the kind of incredible fastidiousness required to sustain any level of real deniability against scrutiny stronger than a bored child. Preventing information leakage is insanely hard, far more so than most give it credit. I shouldn't complain, stunts like this (and software that encourages it) result in many more coins being lost than they could possibly protect from theft. Everyone else's Bitcoins become more valuable as a result, ... hurray, I guess? ::shrugs:: I protest a bit just because it's weird to see something called 'deniable' when it's so undeniably linked to its sibling once you do know all of them.

Effectively BIP39 is a thinly veiled brainwallet scheme with a woefully weak KDF. It's prone to misuse, and when misused it picks up all the bad properties you might expect it to pick up.

Assume I do recover the full mnemonic (e.g. from sniffing if off your computer). Because the mapping is one way (it's not an efficiently computable bijection) I can trivially prove that all the private keys that I do happen to know of are all linked to (and derived from) the same mnemonic (fragment).
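The two consequences argued in the ninja story and in the post just above (the "search a few billion nearby keys" attack on a one-word-changed mnemonic, and the fact that holding the mnemonic lets you prove which wallets it produced), as an added example that is not from the thread or from any BIP39 implementation. The seed derivation is the real BIP39 formula (PBKDF2-HMAC-SHA512, salt "mnemonic" plus the passphrase, 2048 rounds, 64-byte output); the fingerprint, the 64-word toy wordlist, the decoy mnemonic and the 100 ms round-count probe are constructed stand-ins so it runs offline in about a second.

```python
# Added example, not from the thread: BIP39's one-way derivation beside the two
# attacks it enables once the written-down "decoy" mnemonic is in hand.
import hashlib
import hmac
import time
from typing import List, Optional

BIP39_ROUNDS = 2048                      # iteration count fixed by the spec


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Real BIP39 formula (mnemonic assumed already NFKD-normalized here)."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode("utf-8"),
                               ("mnemonic" + passphrase).encode("utf-8"),
                               BIP39_ROUNDS, 64)


def fingerprint(seed: bytes) -> bytes:
    """Constructed stand-in for something public derived from the seed (an address):
    the attacker recognizes the right candidate from this without knowing the seed."""
    return hashlib.sha256(seed).digest()[:8]


def proves_linked(mnemonic: str, passphrase: str, fp: bytes) -> bool:
    """Re-run the one-way derivation; a match shows, to anyone, that the wallet
    behind `fp` came from this mnemonic + passphrase. There is no way to produce a
    mnemonic for an unrelated pre-existing key, so the linkage cannot be disowned."""
    return hmac.compare_digest(fingerprint(bip39_seed(mnemonic, passphrase)), fp)


def single_word_candidates(num_words: int, wordlist_size: int) -> int:
    """Search space when exactly one word of the written-down mnemonic was changed."""
    return num_words * (wordlist_size - 1)


def find_changed_word(decoy: List[str], wordlist: List[str], passphrase: str,
                      target_fp: bytes) -> Optional[List[str]]:
    """Enumerate every mnemonic that differs from `decoy` in exactly one position.
    Each candidate costs one 2048-round PBKDF2: ~25k of them for the real 2048-word
    list and a 12-word mnemonic, i.e. seconds on a laptop, not a deterrent."""
    for pos in range(len(decoy)):
        for w in wordlist:
            if w == decoy[pos]:
                continue
            cand = decoy[:pos] + [w] + decoy[pos + 1:]
            if proves_linked(" ".join(cand), passphrase, target_fp):
                return cand
    return None


def rounds_for_100ms() -> int:
    """Rough probe of how many PBKDF2-HMAC-SHA512 rounds this machine does in 100 ms,
    mirroring the idea of picking the work factor dynamically rather than fixing 2048."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"probe", b"salt", 20_000, 64)
    elapsed = time.perf_counter() - t0
    return max(1, int(20_000 * 0.1 / elapsed))


# Constructed toy wordlist (64 entries) and decoy so the search finishes quickly.
TOY_WORDLIST = [f"w{i:02d}" for i in range(64)]
DECOY = [TOY_WORDLIST[i] for i in (3, 17, 42, 8, 9, 61, 0, 5, 33, 27, 19, 44)]
REAL = DECOY[:7] + [TOY_WORDLIST[50]] + DECOY[8:]   # "a word or two changed"


def demo() -> Optional[List[str]]:
    """The attacker holds the decoy (it was written down) and a fingerprint of the
    real wallet; this recovers the real mnemonic."""
    target = fingerprint(bip39_seed(" ".join(REAL)))
    return find_changed_word(DECOY, TOY_WORDLIST, "", target)


if __name__ == "__main__":
    print("recovered:", demo() == REAL)
    print("real-wordlist candidates for one changed word:",
          single_word_candidates(12, 2048))
    print("PBKDF2 rounds this machine manages in 100 ms:", rounds_for_100ms())
```

The search ignores the BIP39 checksum (4 bits for a 12-word mnemonic) because, as noted earlier in the thread, implementations are not required to enforce it; an attacker who knows the target wallet did enforce it can prune the candidate list by roughly that factor instead. Two changed words multiply the space by another 2047 times the remaining positions, which is the "few billion" figure in the story.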

I don't think that it is. A transaction is an event that consumes inputs and creates outputs. Those outputs later become inputs in another transaction.

You've moved the goal-post there. The change outputs are _always_ to new addresses, they're in random order, that someone might guess that they were associated is true... but not something that selection policy can do much about.

but this board is also for the development and technical discussion of general projects for bitcoin i think. so advice for security update should fit in. if not, please advise me.

It very explicitly is not, please see the description of the subforum: "Technical discussion about Satoshi's Bitcoin client and the Bitcoin network in general. No third-party sites/clients, bug reports that do not require much discussion (use github), or support requests.".

Quote

#EDIT: it's good when linux distros backport only the fixes which are used to remove vulns. but i think most users apply patching manually without waiting for official update patch, especially webmasters. and also not sure what is the sense of reformatting at the SAME TIME??? why not only fix vuln and in next version increment reformat codebase?

The disclosed vulnerabilities are not very exciting for Bitcoin implementations and I am not aware of any reason people should rush to deploy in the context of Bitcoin software (the subject of this subforum! your webserver is another matter)

The diff between 1.0.1l and 1.0.1m is over 700k lines of code because they also reformatted the whole codebase at the same time. If someone has told you they've reviewed the changes carefully they're lying.

Gentoo (and, I believe, Debian) appears to be rejecting openssl's huge patch and is working on backporting the specific fixes.

I guess the greatest point to make is that the banking system is also heavily dependent on software and involves a lot of use of completely opaque software-- even opaque to the bank itself-- where subtle backdoors could be introduced and fraud could, in theory, be conducted which is indistinguishable from your normal activity, meaning that the bank's normal 'fix it after the fact' might not work. So I don't think it would be correct to say that traditional banking is necessarily in a superior position with respect to the particular attack vector of subtle software backdoors.

Bitcoin is completely open and transparent; software updates to it are reviewed by a great many people. We have some evidence that critical intentional errors would be caught on the basis of the less serious accidental errors which have been caught. Going further, even if a bad version is released, nothing pushes that onto users' systems but the users themselves. New versions take a fairly long time to become widely deployed which allows time for additional review and analysis.

You're also right to point out that if there were some catastrophic failure which everyone agreed was a failure the community of Bitcoin users wouldn't just say "oh well, we have to live with it". Actions external to the system could correct most things, though it's hard to reason about that because it's assuming the system failed and it'll be up to messy human politics to resolve things.

Ultimately I think the best description here would be to say that Bitcoin is differently strong from banks. It has different weaknesses-- it's believed to be more sensitive to software engineering and to end-user security, and it's believed to be less sensitive to political abuse, uncertain economic policy, and various kinds of uncasual fairness. In practice Bitcoin could be either more or less secure than traditional banks, depending on your own practices and exposures (e.g. if you make large cash transactions you are more exposed to random seizures with banks, if you get malware on your computer you are more exposed to Bitcoin theft); and unpredictable activity going on in the wider world (compare vulnerabilities in Bitcoin software to the cyprus banking haircut).

From the perspective of straight computer security banks generally have awful security, but because they have almost limitless power to seize funds and reverse transactions in practice their security is usually okay. But not always: the same unlimited seizure and reversal power contributes to many of the awful stories of completely unjustified civil forfeiture (and other kinds of adverse action without due process), and the huge cost and collateral harm when the bank does make an error give reason to think carefully about how you manage your funds. The traditional banking system also leaves you exposed to monetary policy, where inflation continually devalues your money to the benefit of powerful third parties... Today, Bitcoin has substantial volatility risks and risks related to it being new and niche, but these and other reasons are points that may make it ultimately a productive and widely used tool for society.

I implemented what is effectively 'split routing' for Bitcoin Core some time ago (just a switch that makes it not relay transactions; so an additional utility can getrawtransaction and handle it some other way). But it's not currently compatible with the conflict detection in Bitcoin Core because the transaction stays out of the mempool until it's heard over the network and erroneously shows as conflicted, so I've been waiting for that to change. If someone is interested in working on this in Bitcoin Core, feel free to lemme know and I can point out what needs to be done. Primary difficulty is just in writing test harnesses and test cases, because this area of the software is under-tested currently so we're not comfortable taking changes without accompanying tests.

It would be straight-forward on top of that to provide a small sidecar daemon that handled your broadcasting for you (including by using fancy things like a high latency mix network).